Since PHP 5, methods can return objects (including $this). This lets you chain method calls once the methods of your class return the object itself. “Method chaining” can therefore save you a lot of copy & paste and typing when you would otherwise write dozens of separate $obj->method() calls.

Hash-based Message Authentication Codes (HMAC) are very useful. HMAC-SHA-1 in particular is used by more and more webservices (e.g. Amazon S3) to verify that a request comes from a valid user (by using a shared secret/key and submitting the result of HMAC-SHA-1($request)). The easiest way to generate them – hash_hmac() – is only available for PHP > 5.1.2 and I saw many systems where the function is not available. I even saw people installing the whole PEAR system just to get PEAR::Crypt_HMAC running.

If you need a simple function for creating SHA-1 based HMACs, you may be interested in the following:

<?php
/**
 * Returns the HMAC-SHA-1 of a string
 *
 * @param string The data to hash.
 * @param string The key to use. Use ASCII only for best compatibility.
 *        Otherwise, you have to take care about using the same encoding in
 *        every case.
 * @param bool (optional) TRUE leads to PHP warnings if a non-ASCII-string was
 *        submitted as key. FALSE will suppress this check. Default is TRUE.
 * @return string The HMAC-SHA1 of the data (base64-encoded).
 * @author Andreas Haerter
 * @link http://en.wikipedia.org/wiki/HMAC
 * @link http://tools.ietf.org/html/rfc2104
 * @link http://blog.andreas-haerter.com/2010/09/30/hmac-sha-1-php
 * @license GPLv2 (http://www.gnu.org/licenses/gpl2.html)
 * @license New/3-clause BSD (http://opensource.org/licenses/bsd-license.php)
 */
function hmac_sha1($str, $key, $warn_nonasciikey = true)
{
    //check: key consists of ASCII chars only?
    //this should prevent unexpected (=not equal results) when mixing this
    //implementation and base64_encode(hash_hmac("sha1", $str, $key, true))
    //regarding different encodings etc.
    if (!empty($warn_nonasciikey)
        //search for any bytes which are outside the ASCII range...
        //note: the regex is *REALLY* fast. Even a "quickcheck" with ctype_alnum()
        //      won't make the things faster but slower on *common* input!
        //no /u modifier: match raw bytes, so keys that are not valid UTF-8
        //are caught as well (with /u, preg_match() returns FALSE for them)
        //ATTENTION: single quotes are needed here! Otherwise, PCRE is not
        //able to find the ending delimiter!
        && preg_match('/(?:[^\x00-\x7F])/', $key) === 1) {
        //inform developers
        trigger_error(
            //text
            __FUNCTION__.": non-ASCII key may lead to unexpected results when switching encodings!",
            //type
            E_USER_WARNING
        );
    }
    //use PHP's built in functionality if available (~20% faster than the
    //following script implementation)
    if (function_exists("hash_hmac")) {
        return base64_encode(hash_hmac("sha1", $str, $key, true));
    }
    //create the secret based on the given key
    $key_length = strlen($key);
    //key is longer than 64 bytes, use the hash of it
    if ($key_length > 64) {
        //RFC 2104 needs the RAW digest (20 bytes), not the 40 char hex string
        $key = sha1($key, true);
        $key_length = 20;
    }
    //pad secret with 0x0 to get a 64 byte secret?
    if ($key_length < 64) {
        $secret = $key.str_repeat(chr(0), (64 - $key_length));
    } else {
        //64 bytes long, we can use the key directly
        $secret = $key;
    }
    //hash and return it
    return base64_encode(sha1(
        //create the string we have to hash
        ($secret ^ str_repeat(chr(0x5c), 64)). //pad the key for outer digest
        //subhash
        sha1(
            //create substring we have to hash
            ($secret ^ str_repeat(chr(0x36), 64)). //pad the key for inner digest
            $str,
            //we need RAW output!
            true
        ),
        //we need RAW output!
        true
    ));
}

//example
echo hmac_sha1("this is the data to hash", "my secret key, ASCII only for best compatibility");
?>
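Added example, not part of the original post or the author's code: the receiving side of the scheme described above, where the service recomputes the HMAC-SHA-1 of the request with the shared key and compares it to the submitted value in constant time. The `example_*` function names, the request string and the key are constructed for illustration; the code calls the page's hmac_sha1() when it is defined and hash_hmac() otherwise.

```php
<?php
//added example: names, request string and key are constructed for illustration

//sign with the page's hmac_sha1() if it is loaded, otherwise with hash_hmac()
function example_sign($request, $key)
{
    if (function_exists("hmac_sha1")) {
        return hmac_sha1($request, $key, false);
    }
    return base64_encode(hash_hmac("sha1", $request, $key, true));
}

//compare two strings without leaking the position of the first mismatch
function example_timing_safe_equals($known, $given)
{
    if (function_exists("hash_equals")) { //PHP >= 5.6
        return hash_equals($known, $given);
    }
    $len = strlen($known);
    if ($len !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

//server side: recompute the HMAC from the shared key and check the submitted one
function example_verify_request($request, $signature, $key)
{
    if (!is_string($signature) || $signature === "") {
        return false; //a missing or malformed signature is never valid
    }
    return example_timing_safe_equals(example_sign($request, $key), $signature);
}

$key       = "constructed-demo-key";
$request   = "GET\n/bucket/report.csv\n2010-09-30T12:00:00Z";
$signature = example_sign($request, $key); //what the client would submit

//unmodified request, request altered in transit, signature missing
var_dump(example_verify_request($request, $signature, $key));
var_dump(example_verify_request(str_replace("report", "secret", $request), $signature, $key));
var_dump(example_verify_request($request, "", $key));
```

Comparing the two base64 strings with == or strcmp() instead would return as soon as the first differing byte is found, which lets response timing reveal how much of a guessed signature is correct.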

Fifteen successful years have passed since Rasmus Lerdorf released PHP 1.0 – a long time for software, especially for a language generally grown and maintained as an open source project. Here's to the next 15 years!

I did my first steps regarding web development with PHP3, first serious projects with PHP4.1 (back then, MSIE 6 was brand new and innovative as hell).

First of all, many PHP newbies do not even know that echo is not a function but a language construct. This means, the following two lines of code do the same:

echo "Hello world\n"; //because echo is NO function, brackets are not needed.
echo("Hello world\n");

IMHO, you should use the first variant without brackets to signal that echo is not a function.

But even experienced developers often do not know that echo accepts more than one parameter, so there is no need to concatenate strings with a dot (although concatenation may be useful in some situations). The following code does the same thing three times:

$str1 = "one";
$str2 = "two";
$str3 = "three\n\n";
//newbie style, most overhead because echo is called more often than needed
echo $str1;
echo $str2;
echo $str3;
//common style with concatenated string (on my machines with PHP 5.2,
//64bit *ix, this is the fastest)
echo $str1.$str2.$str3;
//little known: pass more than one parameter (on my machines with PHP <5.1,
//this is the fastest)
echo $str1, $str2, $str3;

My personal experience/small note about the performance: the more variables are involved and the bigger their data is, the slower a concatenated string is in comparison to passing the vars as parameters. But the difference is getting really small on PHP >=5.2. Additionally, echo is really fast, no matter if you use concatenation or commas. Just avoid unneeded echo calls and everything is fine.

Note: If safe mode is enabled, the uid of the script is added to the realm part of the WWW-Authenticate header.

I just talked to one of my friends who did not notice the safe mode behavior. He had problems because HTTP digest authentication simply did not work on his server where safe mode is active. Unfortunately, the manual does not provide an example working with both active and inactive safe mode, therefore I am releasing one here. You may use the function directly… or better build a nice auth-class for doing the job. However, I think the example should help in both cases, providing all needed information for creating your own HTTP digest authentication. Have fun.